← Back to PRS Shield

Privacy Notice

Last updated: March 2026

1. Who we are

Fundsure Ltd is registered in England and Wales (Company number 12804657). Our registered address is 3rd Floor, 45 Albemarle Street, Mayfair, London, W1S 4JL. We trade as PRS Shield at prs-shield.co.uk.

We are registered with the Information Commissioner's Office (ICO reference ZB012773) and are the data controller for all personal data processed through PRS Shield.

We are supervised by HMRC as a Trust or Company Service Provider (TCSP) under the Money Laundering Regulations 2017 (reference XKML00000206994).

Contact us at: support@prs-shield.co.uk

2. What data we collect

The personal data we collect depends on how you use PRS Shield. We collect only what is necessary for the specific purpose.

Landlord account data

Name, email address, phone number, business address. Collected when you register for PRS Shield.

Property data

Property addresses, type, certificate expiry dates (gas safety, EICR, EPC), deposit protection details, licensing references, and related compliance information.

Tenant data

Full name, date of birth, nationality, email address, phone number, and right to rent status. Collected as part of the tenancy management and compliance checking process.

Compliance check data

AML screening results, sanctions check outcomes, Right to Rent verification results, and related reports generated by SmartSearch on our behalf.

Document data

Certificates, tenancy agreements, and other documents uploaded to the platform. Where AI-assisted document scanning is used (Portfolio and Standard tiers), document images are processed by Anthropic's Claude API to extract dates and reference numbers. No document content is retained by Anthropic.

Rent ledger data

Rent ledger entries, payment amounts, dates, and notes manually entered by you. Subscription billing is handled by Stripe — we do not store your card details.

Usage and audit data

Login times, actions taken within the platform, and compliance events. Maintained as an immutable audit trail to support regulatory obligations and dispute resolution.

3. Why we collect it and our lawful basis

We collect and process personal data for the following purposes and on the following lawful bases under UK GDPR Article 6:

Delivering the PRS Shield service

Lawful basis: Contract performance (Article 6(1)(b)). We need to process your account, property, and tenancy data to provide the platform you have subscribed to.

AML and sanctions compliance checks

Lawful basis: Legal obligation (Article 6(1)(c)). We are supervised by HMRC under the Money Laundering Regulations 2017 and are required to conduct and retain AML and sanctions checks on relevant persons.

Right to Rent verification

Lawful basis: Legal obligation (Article 6(1)(c)) and contract performance (Article 6(1)(b)). Right to Rent checks are required by the Immigration Act 2014.

Audit trail and compliance records

Lawful basis: Legal obligation (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)). Records are maintained to satisfy regulatory obligations and to protect both landlords and Fundsure in the event of disputes.

Service improvement and fraud prevention

Lawful basis: Legitimate interests (Article 6(1)(f)). We have a legitimate interest in ensuring the platform operates correctly and is not misused.

4. How long we keep it

AML and compliance check records

Six years from the date of the check, consistent with HMRC's record-keeping requirements under the Money Laundering Regulations 2017 and the general civil claims limitation period.

Tenancy and property records

Six years from the end of the tenancy, to support any potential deposit disputes, disrepair claims, or regulatory enquiries.

Account data

For the duration of your subscription, plus six years following termination.

Audit logs

Six years, to support regulatory obligations and dispute resolution.

All data is stored on Supabase's infrastructure (AWS EU-West-2, London region), which holds SOC 2 Type II certification. Data is encrypted at rest (AES-256) and in transit (TLS 1.2 minimum).

5. Who we share it with

We share personal data only where necessary to deliver the service or meet a legal obligation. We never sell your data.

  • SmartSearch (Landmark Information Group) — AML screening, sanctions checks, and Right to Rent digital identity verification. SmartSearch is certified against the UK Government's Digital Identity and Attributes Trust Framework (DIATF) and listed on the DVS Register maintained by the Office for Digital Identities and Attributes (OfDIA). Data shared: tenant name, date of birth, address.
  • Supabase — database and file storage hosting. Hosted on AWS EU-West-2 (London). SOC 2 Type II certified. Acts as our data processor under a Data Processing Agreement.
  • Vercel — platform hosting and content delivery. SOC 2 Type II certified. No persistent personal data is stored on Vercel infrastructure.
  • Stripe — subscription billing and payment processing. PCI DSS Level 1 certified. We do not store card details.
  • BoldSign — electronic signatures for tenancy agreements. Tenant and landlord names and email addresses are shared for signing purposes.
  • Resend — transactional email delivery. Email addresses and relevant notification content are processed to deliver platform emails.
  • Anthropic (Claude API) — AI-assisted document analysis (OCR and data extraction from uploaded certificates). Document images are processed transiently and are not retained by Anthropic.
  • HMRC — as required by our AML supervision obligations under the Money Laundering Regulations 2017.
  • National Crime Agency — if a Suspicious Activity Report is required by law.

6. International transfers

Your data is stored in the UK (AWS EU-West-2, London region) and does not leave the UK as part of our standard operations. Some of our processors (including Anthropic, Stripe, and Vercel) are US-based companies. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs) or equivalent mechanisms.

7. Automated decision-making

PRS Shield automatically calculates a red/amber/green compliance status for each property based on certificate expiry dates. This is a presentation tool only — no decision with legal or significant effect on any person is taken automatically. UK GDPR Article 22 does not apply.

8. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

Right of access

You can request a copy of the personal data we hold about you. We will respond within 30 days.

Right to rectification

You can ask us to correct inaccurate or incomplete data. We will respond within 30 days.

Right to erasure

You can ask us to delete your personal data. This right is subject to legal retention obligations — for example, AML records must be kept for six years by law. Where we cannot delete data immediately, we will explain why and confirm when deletion will occur.

Right to restriction

You can ask us to restrict processing of your data while a request is being resolved.

Right to data portability

Where processing is based on consent or contract, you can request your data in a structured, machine-readable format.

Right to object

You can object to processing based on legitimate interests. We will consider your objection and respond within 30 days.

To exercise any of these rights, contact us at support@prs-shield.co.uk. We will acknowledge your request within five working days and respond in full within 30 days. There is no charge for exercising your rights.

You also have the right to complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.

9. Security

We take the security of your data seriously. Technical measures include:

  • Encryption at rest (AES-256) and in transit (TLS 1.2 minimum)
  • Row-level security enforced at the database layer — each landlord can only access their own data
  • Multi-factor authentication on all administrative systems
  • Annual independent penetration testing
  • Automated dependency scanning and vulnerability management

If you believe your account has been compromised or you have a security concern, contact us immediately at support@prs-shield.co.uk.

10. Cookies

See our Cookie Policy for details on how we use cookies.

11. Changes to this notice

We may update this notice from time to time, for example when we add new features or when regulatory requirements change. The latest version will always be available at this page. Where changes are material, we will notify you by email. Last updated: March 2026.